11/10/2003Pki4ipsec-nov03-agenda BOF Profiling Use of PKI in IPsec pki4ipsec Chairs: Gregory M...
-
Upload
nigel-boone -
Category
Documents
-
view
214 -
download
0
Transcript of 11/10/2003Pki4ipsec-nov03-agenda BOF Profiling Use of PKI in IPsec pki4ipsec Chairs: Gregory M...
11/10/2003 Pki4ipsec-nov03-agenda
BOFProfiling Use of PKI in IPsec
pki4ipsec
Chairs:
Gregory M Lebovitz ([email protected])
Steve Hanna ([email protected])
11/10/2003 Pki4ipsec-nov03-agenda
Agenda
• Agenda Bashing - 5 min
• Summary of Effort - 5 min
• Needs Assessment, Steve Hanna – 5 min,
• Architecture - 15 min
• Review Existing Docs/Text - 45 min
• Charter Bashing - 45 min
• Next Steps - 10 min
11/10/2003 Pki4ipsec-nov03-agenda
Architecture
• Presentation
http://www.projectdploy.com/draft-dploy-requirements-00.pdf
• Review and discussion
11/10/2003 Pki4ipsec-nov03-agenda
Current Profile Text/Thought
• draft-ietf-ipsec-pki-profile-03.txt – Korver
• Dploy draft – Gregory Lebovitz
http://www.projectdploy.com/draft-dploy-requirements-00.pdf
• Certificate Handling Profiles – P. Hoffman
http://www.vpnc.org/ipsec-pki-profile.pdf
• Clarifying questions on Current Text
11/10/2003 Pki4ipsec-nov03-agenda
Scope
• IPsec Scenarios: s2s VPN and Secure Remote Access VPN
• CMC as the certificate lifecycle management protocol
11/10/2003 Pki4ipsec-nov03-agenda
Proposed Charter Items
1. Requirement Document
2. Profile Documents1. Certificate Format & Contents
2. Certificate Usage and IPsec Payloads (IKEv1, IKEv2)
3. Certificate Request/Retrieval by IPsec Peer
4. Certificate Lifecycle Management (renewal, revocation, validation
3. Implementation and Interoperability report
11/10/2003 Pki4ipsec-nov03-agenda
Timeline
• 1 year
11/10/2003 Pki4ipsec-nov03-agenda
Next Steps
11/10/2003 Pki4ipsec-nov03-agenda
BACKUP SLIDES FOLLOW
11/10/2003 Pki4ipsec-nov03-agenda
Open Issues
1. IKEv1 and IKEv2? in one doc or two docs?
2. V1 - Need a way to determine which of potentially many certs is end entity cert. Could send EECert as first one?
3. V1 Should ID_ipv4/v6_addr, ID_FQDN, ID_USER_FQDN all be MUSTs? Right now only _ADDR is MUST. Is that enough for broad interop?
11/10/2003 Pki4ipsec-nov03-agenda
Need ID for…
1. How to find EE cert2. To lookup policy for IKE3. Authentication – understand who the sender
claims to be, and use to verify they are who says they are
4. Authorization - To determine IPsec Access Control and treatment
5. Logging / Auditing – something meaningful to the network/device operations teams
Anything else missing?
11/10/2003 Pki4ipsec-nov03-agenda
Places to Find ID Elements
• IKE ID Payload
• Cert – SubjectAltName types
• Cert – DN fields/types– Any one, or combo
11/10/2003 Pki4ipsec-nov03-agenda
IKEv1 Checking Options
1. Fill in IKE ID payload /w something in Cert SubjectAltName and check that the two match
2. Just present Cert, and let receiving peer’s local policy determine what they extract and use as ID
3. Fill in ID w/ something to match IKE SPD entry on receiving peer, then use some SubjectAltName field (as defined by local policy) to do ACL lookup and IPsec SA setup
11/10/2003 Pki4ipsec-nov03-agenda
IKEv1 and IKEv2
• IKEv1 – we will spend most of our time profiling for IKEv1. We will prioritize this.
• IKEv2
11/10/2003 Pki4ipsec-nov03-agenda
Revocation
• Philosophy question: – Do we profile use of PKI for authorization
11/10/2003 Pki4ipsec-nov03-agenda
Contentious Issues to Decide Issue
• Revocation Method and Impact on Cert contents and IKE payloads
• Identity and its correlation to Authentication and Authorization
• Do Request and Retrieval Impact the format and payloads document? Or orthogonal.